Severity

medium

Vendor

VMware Tanzu

Versions Affected

• Canonical Ubuntu 22.04

It was discovered that libuv incorrectly truncated certain hostnames. A remote attacker could possibly use this issue with specially crafted hostnames to bypass certain checks. Update Instructions: Run `sudo pro fix USN-6666-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: libuv1-dev - 1.34.2-1ubuntu1.5 libuv1 - 1.34.2-1ubuntu1.5 No subscription required.

Fixed and Unaffected VMware Products and Versions

• Cflinixfs4
• 1.79.0 or greater
• Jammy Stemcells
• 1.404 or greater
• CF Deployment
• All unaffected
• Isolation Segment
• 4.0.19+LTS-T or greater
• 5.0.9 or greater
• 6.0.x unaffected
• VMware Tanzu Applications Service for VMs
• 4.0.19+LTS-T or greater
• 5.0.9 or greater
• 6.0.x unaffected
• MySQL for VMware Tanzu
• 3.3.x unaffected
• Operations Manager
• 3.0.25+LTS-T or greater

References

https://ubuntu.com/security/notices/USN-6666-1

https://www.cloudfoundry.org/blog/usn-6666-1

https://cve.mitre.org/cgi-bin/cvename.cgi?name=usn-6666-1

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24837

History

2024-02-28: Initial vulnerability report published.